github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #436 from grooverdan/dos-resistant-roundcube-auth 

BF/ENH: DoS resistant roundcube-auth with test cases and more variation from IMAP responses
pull/437/head
Daniel Black 2013-11-12 12:44:36 -08:00
parent e8aa676cf5 be60518218
commit 0d47ea3348
2 changed files with 34 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
config/filter.d/roundcube-auth.conf
View File

@ -9,8 +9,21 @@ before = common.conf
[Definition] [Definition]
failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$ failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
ignoreregex = ignoreregex =
# DEV Notes:
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge #
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
#
# Part after <HOST> comes straight from IMAP server up until the " in ....."
# Earlier versions didn't log the IMAP response hence optional.
#
# DoS resistance:
#
# Assume that the user can inject "from <HOST>" into the imap response
# somehow. Write test cases around this to ensure that the combination of
# arbitary user input and IMAP response doesn't inject the wrong IP for
# fail2ban
#
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black

18
testcases/files/logs/roundcube-auth
View File

@ -4,3 +4,21 @@
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47 May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login) Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# Made up to attempts to inject a DoS on the server. Assume the user can manipulate the IMAP error response
#
# user = admin from 127.0.0.1
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# IMAP server logs user=${username}
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# Old roundcube version - no IMAP response
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4
#
# user = admin from 127.0.0.1 in
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)